> I could set up a 90-day fraud alert that would force creditors to call me — at a number of my choosing — before agreeing to open any new accounts in my name.
This should be the default, for everyone, for free. If banks don't want to do the bare minimum to verify your identity, the liability for identity theft should be on them and not you.
I'm professionally involved with this, so at this point I'm obligated to say that the following is my personal opinion and in no way representative of my employer.
Banks use a lot of information to correlate and verify customer identity. The process is called KYC, Know Your Customer [0]. The problem is that this process relies on exactly the information present in a database like Equifax's. If they did perform verification calls, they would be using the same information to verify your identity over the phone, meaning that anyone with that same information could still impersonate you.
The problem, as often pointed out, is that much of this information is much more akin to a username than a password, but is often used as the latter. I mean, someone with my driver's license has my name, address and date of birth, which is often enough to verify with most systems that don't keep SSNs.
From a technical perspective, modern cryptography would seem to give us some opportunity here. The downside here is that its usage becomes absolute -- you either have the key or you don't, regardless of the reality of your identity. The reality is that identity is a very hard problem, with many confounding issues.
As I understand it, a large number of KYC requirements were enacted with the Patriot Act following 9/11. You raise the interesting point that this breach undermines these KYC rules. In this interpretation, lax Equifax security could be seen to directly empower terrorists.
I personally think a 3-factor system could work, but you'd never get the changeover to happen.
1. The government would have to invalidate all SSN numbers and re-issue them.
2. To re-issue, you have to go down to a govt office to pick up a smart-card-like device (let's call it a "multi-pass" for s&g's) that would have built into it a keypad and a fingerprint scanner.
3. This person would validate you as you (perhaps you present your driver's license/id/passport/birth certificate), and issue you one of these cards and a reader device (for home).
4. The card device itself would have a unique value embedded in it, but otherwise be "blank". Perhaps the government might also have a copy of this value matched to your other info, for tax purposes (so, it would act like your SSN for tax purposes and such).
5. This value would come from a one-time programming, where in front of the official, you would scan your fingerprint, and enter your pin. The card would hash everything together, and burn the hashed value into the card's read-only memory.
6. So now - to verify your identity, you would need: The card (something you have), the pin (something you know), and your fingerprint (something you are). If one of these isn't present, you can't identify yourself.
7. To do a transaction, you'd need to slot the card into your reader (if at home doing something online), or into a vendor's or bank's reader - then put in your pin and scan your fingerprint. It'll hash the values again, and compare with what is on the card, and output (the only output, mind you) "yes" or "no" for the question of "identification".
The downside to all of this is that if you lose your card, or your fingerprint changes, or you forget your pin (or some combo), getting a new card will be tough. But really all it should take would be another in-person visit to the same govt office - more or less.
I also admit that there are very likely other glaring flaws with this idea (beyond the fact that it won't ever be implemented because of the costs to switch over, and other issues). But I think it comes close to a potential solution.
As long as you have to be physically present and always use a reader of some sort, if you don't have any one of the pieces of info, you can't verify your identity:
1) You need the card, if you don't have that - no dice of course.
2) You need the fingerprint that was originally used - that's only going to belong to the person who originally picked and configured the card at the govt office.
3) You need the pin number - presumably only known by the proper owner of the card.
So if the card is stolen, that doesn't matter. If they chop off your hand or finger, that won't help. They'd basically have to beat the pin code out of you, chop off your finger, and steal the card. I'm not saying there aren't criminals who would do that, but they'd have to be in the minority. Plus, such criminals are not likely ID thieves anyhow.
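The one-time programming (step 5) and the yes/no verification (step 7) of the "multi-pass" proposal above, plus the three "no dice" cases listed after it, as an added simulation that is not part of the original comments and not any real card's firmware. Assumptions: the card's unique embedded value doubles as a per-card salt, PBKDF2-SHA256 stands in for the unspecified "hash everything together", and the fingerprint is represented as a fixed byte string template (all sample values are constructed).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample factors for the demonstration (not real biometric data).
OWNER_FINGERPRINT = b"constructed-fingerprint-template-of-owner"
OWNER_PIN = "4821"
PBKDF2_ROUNDS = 100_000  # assumption: a slow hash so a lost card resists offline PIN guessing


class MultiPass:
    """Simulated 'multi-pass' card. Holds a unique embedded value (the
    'something you have') and, after one-time programming, a burned digest.
    The digest is never exported; the card only answers yes or no."""

    def __init__(self, serial: Optional[bytes] = None) -> None:
        self.serial = serial or secrets.token_bytes(16)  # unique per card, assumed burned at manufacture
        self._burned: Optional[bytes] = None              # read-only once enroll() has run

    def _digest(self, fingerprint: bytes, pin: str) -> bytes:
        # Bind all three factors together. The card serial is the salt, so the
        # same fingerprint+PIN hashed on a different card yields a different
        # digest; a digest copied onto another card is useless there.
        return hashlib.pbkdf2_hmac("sha256", fingerprint + pin.encode(), self.serial, PBKDF2_ROUNDS)

    def enroll(self, fingerprint: bytes, pin: str) -> None:
        """One-time programming performed in front of the official (step 5)."""
        if self._burned is not None:
            raise RuntimeError("card already programmed; memory is read-only")
        self._burned = self._digest(fingerprint, pin)

    def verify(self, fingerprint: bytes, pin: str) -> bool:
        """Re-hash the presented factors and compare with the burned value (step 7)."""
        if self._burned is None:
            return False
        # constant-time comparison so the yes/no answer leaks no timing information
        return hmac.compare_digest(self._burned, self._digest(fingerprint, pin))


def reader_answer(card: MultiPass, fingerprint: bytes, pin: str) -> str:
    """The reader's only output: 'yes' or 'no' to the question of identification."""
    return "yes" if card.verify(fingerprint, pin) else "no"


def run_scenarios() -> Dict[str, str]:
    """Walk through the cases the comments list: only the genuine card with the
    enrolled fingerprint and PIN answers 'yes'. Returns the answer per scenario."""
    owner_card = MultiPass()
    owner_card.enroll(OWNER_FINGERPRINT, OWNER_PIN)

    # A blank card that was never programmed at the govt office.
    blank_card = MultiPass()

    # A different card onto which the owner's burned digest has been copied:
    # its serial differs, so the re-computed digest cannot match.
    cloned_card = MultiPass()
    cloned_card._burned = owner_card._burned

    return {
        "all three factors": reader_answer(owner_card, OWNER_FINGERPRINT, OWNER_PIN),
        "right card, wrong PIN": reader_answer(owner_card, OWNER_FINGERPRINT, "0000"),
        "right card, other finger": reader_answer(owner_card, b"constructed-other-finger", OWNER_PIN),
        "blank card, right factors": reader_answer(blank_card, OWNER_FINGERPRINT, OWNER_PIN),
        "copied digest on other card": reader_answer(cloned_card, OWNER_FINGERPRINT, OWNER_PIN),
    }


if __name__ == "__main__":
    for scenario, answer in run_scenarios().items():
        print(f"{scenario:32s} -> {answer}")
```

One caveat the fixed-hash design leaves open: a real fingerprint scan is never byte-identical between readings, so hashing the raw template would fail on the legitimate owner's next scan; a deployable card would need an error-tolerant construction (a fuzzy extractor or on-card template matching that releases a stable key) in place of the direct hash used here.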
The credit agencies already attempt to verify you when you request a credit report ("did you ever live on Main Street", etc.) or put a credit freeze on so it's not a new problem for them.